highsystemunverified
Set GRUB bootloader password (UEFI)
grub-password-uefi · RHEL ≥ 8 · 1 impl
Description
On UEFI systems the GRUB superuser password hash must be present in /boot/efi/EFI/redhat/user.cfg (a grub.pbkdf2.sha512 entry) to prevent unauthorized boot-parameter changes or single-user access.
Rationale
Without a bootloader password an attacker with console access can edit kernel parameters or enter single-user mode to gain root.
Check → Remediate
Checkcommand
if [ ! -d /sys/firmware/efi ]; then echo "NOT APPLICABLE: system booted via BIOS, not UEFI" exit 0 fi if grep -iqE 'grub2_password|password_pbkdf2' /boot/efi/EFI/redhat/user.cfg 2>/dev/null; then echo "OK: UEFI GRUB superuser password is set" exit 0 fi echo "FAIL: no GRUB password in /boot/efi/EFI/redhat/user.cfg" exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Run grub2-setpassword (writes /boot/efi/EFI/redhat/user.cfg).
Framework references
STIG
V-230234 / RHEL-08-010140
NIST 800-53
AC-3
#grub#bootloader#uefi#physical-security#stig